CVE-2026-22733
Status: Received - Intake
Authentication Bypass in Spring Boot Actuator Affects Spring Security

Publication date: 2026-03-20

Last updated on: 2026-04-23

Assigner: VMware

Description
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Boot: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31. (The version lines listed, and the CPE entries below, are Spring Boot releases; Spring Security is the second precondition, not the versioned product.)
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product       Version / Range
vmware   spring_boot   up to 2.7.32 (excluding)
vmware   spring_boot   from 3.3.0 (including) to 3.3.18 (excluding)
vmware   spring_boot   from 3.4.0 (including) to 3.4.15 (excluding)
vmware   spring_boot   from 3.5.0 (including) to 3.5.12 (excluding)
vmware   spring_boot   from 4.0.0 (including) to 4.0.4 (excluding)

Note that the first CPE range has no lower bound, whereas the description bounds the 2.7 line at 2.7.0; the upper bounds match the fixed releases listed under mitigation (2.7.32, 3.3.18, 3.4.15, 3.5.12, 4.0.4).
CWE
CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass authentication controls on affected Spring Boot applications. As a result, unauthorized users may gain access to sensitive application endpoints that are supposed to be protected, potentially leading to exposure of sensitive data or unauthorized actions within the application.


Can you explain this vulnerability to me?

CVE-2026-22733 is a high-severity authentication bypass vulnerability that affects Spring Boot applications using Actuator and Spring Security. It occurs when an application endpoint that requires authentication is declared under a subpath of the CloudFoundry Actuator endpoints, such as "/cloudfoundryapplication/admin". This misconfiguration can cause authentication controls to be bypassed, allowing unauthorized access.

The vulnerability requires all of the following conditions: the application is a web application, the Actuator dependency is present, the Spring Security dependency is present, and the application contributes an authenticated endpoint under a CloudFoundry Actuator subpath.

Affected Spring Boot versions include 4.0.0 to 4.0.3, 3.5.0 to 3.5.11, 3.4.0 to 3.4.14, 3.3.0 to 3.3.17, and 2.7.0 to 2.7.31. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation for this vulnerability is to upgrade the affected Spring Boot version to a fixed release; the fix ships in Spring Boot itself, so no Spring Security upgrade is listed.

  • Upgrade Spring Boot 4.0.x to 4.0.4 (Open Source)
  • Upgrade Spring Boot 3.5.x to 3.5.12 (Open Source)
  • Upgrade Spring Boot 3.4.x to 3.4.15 (Commercial)
  • Upgrade Spring Boot 3.3.x to 3.3.18 (Commercial)
  • Upgrade Spring Boot 2.7.x to 2.7.32 (Commercial)

No additional mitigation steps are necessary beyond upgrading. It is also advised to avoid mapping application endpoints under infrastructure endpoints like Actuators to prevent configuration conflicts.
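The following Python script is an added example, not code from this advisory page or from the Spring project. It checks offline the two preconditions above that a scanner can actually see in a repository: that the Spring Boot version falls inside one of the affected ranges listed on this page, and that a Spring MVC request mapping in the application's own source lands under the CloudFoundry Actuator base path. It assumes that base path is /cloudfoundryapplication, as the explanation above states, and it assumes Java sources with the standard @RequestMapping/@GetMapping/... annotations; the sample controller embedded in it is constructed for this example and shows the layout the advisory warns about (an authenticated application endpoint hung under the CloudFoundry path). Whether Actuator and Spring Security are on the classpath, the other two preconditions, must still be confirmed from the build file.

```python
"""Offline exposure checks for CVE-2026-22733 (added example, not from the
advisory or the Spring project). Assumptions: the CloudFoundry Actuator base
path is /cloudfoundryapplication, and the scanned sources are Java with the
usual Spring MVC mapping annotations. Presence of Actuator and Spring Security
on the classpath is NOT checked here; confirm it from pom.xml/build.gradle.
"""
import re

# Affected ranges as listed in this page's description: (first, last), inclusive.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 31)),
    ((3, 3, 0), (3, 3, 17)),
    ((3, 4, 0), (3, 4, 14)),
    ((3, 5, 0), (3, 5, 11)),
    ((4, 0, 0), (4, 0, 3)),
]
CF_BASE_PATH = "/cloudfoundryapplication"  # assumption: CloudFoundry Actuator base path

# Spring MVC mapping annotations; group 1 is the text inside the parentheses.
_MAPPING_RE = re.compile(
    r"@(?:Request|Get|Post|Put|Delete|Patch)Mapping(?:\s*\(([^)]*)\))?")
# Positional path(s) at the start of the argument list, or value=/path= anywhere.
_PATH_ATTR_RE = re.compile(r'(?:^\s*|\b(?:value|path)\s*=\s*)(\{[^}]*\}|"[^"]*")')
_STRING_RE = re.compile(r'"([^"]*)"')
_CLASS_RE = re.compile(r"\bclass\s+\w+")


def parse_version(version):
    """'3.5.11' or '3.5.11-SNAPSHOT' -> (3, 5, 11); raises on anything else."""
    parts = version.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spring Boot version: {version!r}")
    return tuple(int(p) for p in parts)


def version_is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _annotation_paths(args):
    """Path literals of one mapping annotation ([''] when it declares none)."""
    m = _PATH_ATTR_RE.search(args or "")
    return _STRING_RE.findall(m.group(1)) if m else [""]


def _join(prefix, path):
    segments = [s.strip("/") for s in (prefix, path) if s.strip("/")]
    return "/" + "/".join(segments)


def find_cloudfoundry_mappings(source):
    """Return (line, full_path) for every method mapping under CF_BASE_PATH.

    A class-level @RequestMapping becomes the prefix for the methods of the
    class declared right after it. Heuristic source scan: a comment containing
    the word "class" between an annotation and the next "{" will confuse it.
    """
    class_positions = [m.start() for m in _CLASS_RE.finditer(source)]
    prefixes = {}  # position of the 'class' keyword -> class-level path prefix
    findings = []
    for m in _MAPPING_RE.finditer(source):
        paths = _annotation_paths(m.group(1))
        brace = source.find("{", m.end())
        trailer = source[m.end():brace if brace != -1 else len(source)]
        if re.search(r"\bclass\b", trailer):  # class-level mapping
            owner = next((c for c in class_positions if c > m.end()), None)
            if owner is not None:
                prefixes[owner] = paths[0]  # first prefix only, for brevity
            continue
        enclosing = max((c for c in class_positions if c < m.start()), default=None)
        prefix = prefixes.get(enclosing, "")
        line = source.count("\n", 0, m.start()) + 1
        for path in paths:
            full = _join(prefix, path)
            if full == CF_BASE_PATH or full.startswith(CF_BASE_PATH + "/"):
                findings.append((line, full))
    return findings


def is_exposed(version, source):
    """True when both scanner-visible preconditions hold."""
    return version_is_affected(version) and bool(find_cloudfoundry_mappings(source))


# Constructed sample controller: the vulnerable layout the advisory describes.
SAMPLE_CONTROLLER = '''\
package com.example.demo;

import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/cloudfoundryapplication")   // app endpoints hung under the CF Actuator path
public class AdminController {

    @GetMapping("/admin")                     // intended to require authentication
    public String admin() { return "secrets"; }

    @PostMapping(path = "/admin/reset", produces = "text/plain")
    public String reset() { return "done"; }
}

@RestController
public class PublicController {
    @GetMapping("/health-page")               // not under the CF path: unaffected
    public String page() { return "ok"; }
}
'''

if __name__ == "__main__":
    for line, path in find_cloudfoundry_mappings(SAMPLE_CONTROLLER):
        print(f"line {line}: {path} is under {CF_BASE_PATH}")
    print("exposed on 3.5.11:", is_exposed("3.5.11", SAMPLE_CONTROLLER))
    print("exposed on 3.5.12:", is_exposed("3.5.12", SAMPLE_CONTROLLER))
```

Run against the sample, the scan reports lines 9 and 12 (the /admin and /admin/reset mappings, both resolved through the class-level /cloudfoundryapplication prefix) and leaves /health-page alone; the version check then turns that into "exposed" on 3.5.11 and "not exposed" on 3.5.12. A hit from the scan is a finding to fix regardless of version: per the advice above, application endpoints should not be mapped under the Actuator's infrastructure paths at all.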

